The Perfect Worm

Coming soon, a cell-phone virus that will wreck your life.

A year ago, I visited some of Europe’s top virus writers. These guys wrote everything from mass-mailing worms to “keyloggers,” programs that infect your desktop and record every keystroke. I asked them what they wanted to do next—what big targets loomed for virus hackers who had done everything. Each had the same answer: mobile phones.

Two weeks ago, antivirus companies discovered CommWarrior, the first significant mobile-phone worm to be released “in the wild.” The previous phone viruses you might have heard about were all pretty harmless. Cabir, which also made the news last month, uses Bluetooth to hop from one phone to others physically nearby. As Slate explained, that technique limits the virus’s ability to spread quickly—for Cabir to propagate, it has to be within 30 feet of a vulnerable Bluetooth phone.

CommWarrior is far more contagious. When it invades your phone, the worm rifles through your contacts list and mails a copy of itself to victims as a “multimedia message.” That’s a classic social-engineering trick: When a message comes from a friend, you’re much more likely to open it and get infected. Besides passing itself along to the next guy, CommWarrior doesn’t do much. The virus’ only payload is a flashing message—“OTMOP03KAM HET!”—that translates as “No to brain-deads!” in Russian.

While CommWarrior isn’t particularly dangerous, it is unsettling. Since you can send “multimedia messages” to compatible phones worldwide, this virus can spread more widely and more quickly than Cabir. (CommWarrior attacks smartphones that run Symbian’s “Series 60” operating system, such as Nokia’s 7610 or the N-Gage.) What’s really unsettling is that a fast-spreading mobile virus could cost you money.

Several security officials told me that a scam artist could write a worm that invades your phone, waits patiently until 4 a.m., then makes an hourlong call to an overseas phone-sex line that bills you by the minute. Sure, you could call your mobile carrier and plead that you didn’t make the call, but you’ll just seem like another in-denial porn hound. Pay up, pervert. Of course, once the scam became public, the FBI or some other government agency could try to shut the phone line down. But a scam like that only needs to operate for an hour to collect plenty of phone fees. And if the line is located in Russia or China—where most of today’s criminal viruses emerge—it could be almost impossible to shut it down quickly.

A worm like CommWarrior needs help to get its hooks into your phone. The mangled English subject lines—which include such gems as “Free SEX! Free *SEX* software for you!”—are a dead giveaway that you shouldn’t click. But the fact that you’re getting a saucy message on your phone rather than your computer will no doubt induce many clicks, simply because people will be curious or just won’t believe phone viruses are real.

Though no phone-sex-dialing cell-phone worms have yet emerged, there are precedents in the PC world—so-called “rogue dialers” that reprogram modems to call expensive pay-per-call lines. Last year, a mobile virus called Mosquito started inducing handsets to send text messages to high-cost numbers. Fortunately, it didn’t spread.

Phone executives like to say that it’s easy for them to contain worms because their networks are gated communities. Verizon and Sprint can install antivirus software on their servers to automatically delete infected multimedia messages before they reach their victims. And if they notice that thousands of customers call the same phone-sex number at 4 a.m., they could simply interrupt those calls.

But that’s no help if the worm is designed to be slow and stealthy. Instead of calling a pay-per-call number every night at 4 a.m., the virus could make short, infrequent calls that most customers wouldn’t notice on their phone bills. The top identity-theft scammers already use this below-the-radar technique with credit cards and bank accounts. People are lazy—so long as their monthly bill isn’t too out of whack, they’ll usually pay up.
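The difference between the two calling patterns shows up in how a carrier would have to look for them. The sketch below is an added example, not part of the original article: it assumes the carrier keeps records of calls to premium-rate numbers, and every subscriber ID, number label and threshold in it is constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def sample_cdrs():
    """Constructed records: (subscriber, dialed number, start time, seconds)."""
    t0 = datetime(2005, 3, 1)
    cdrs = []
    # Burst: 40 subscribers make hour-long calls to one number around 4 a.m.
    for i in range(40):
        cdrs.append((f"sub{i:03d}", "PREMIUM-A",
                     t0 + timedelta(hours=4, minutes=i % 10), 3600))
    # Low and slow: 40 subscribers, one 90-second call each, spread over 20 days.
    for i in range(40):
        cdrs.append((f"sub{100 + i}", "PREMIUM-B",
                     t0 + timedelta(days=i // 2, hours=(i * 7) % 24), 90))
    # Background: three subscribers repeatedly calling a premium line they chose.
    for i in range(30):
        cdrs.append((f"sub{200 + i % 3}", "PREMIUM-C",
                     t0 + timedelta(days=i % 20, hours=18), 120))
    return cdrs

def hourly_spike(cdrs, min_callers=25):
    """Flag numbers dialed by many distinct subscribers within one clock hour."""
    buckets = defaultdict(set)
    for sub, number, start, _ in cdrs:
        hour = start.replace(minute=0, second=0, microsecond=0)
        buckets[(number, hour)].add(sub)
    return {number for (number, _), subs in buckets.items()
            if len(subs) >= min_callers}

def windowed_fan_in(cdrs, window=timedelta(days=30), min_callers=25):
    """Flag numbers dialed by many distinct subscribers across a long window."""
    latest = max(start for _, _, start, _ in cdrs)
    callers = defaultdict(set)
    for sub, number, start, _ in cdrs:
        if latest - start <= window:
            callers[number].add(sub)
    return {number for number, subs in callers.items()
            if len(subs) >= min_callers}

if __name__ == "__main__":
    records = sample_cdrs()
    print("hourly spike flags:", sorted(hourly_spike(records)))
    print("30-day fan-in flags:", sorted(windowed_fan_in(records)))
```

The hourly check flags only the 4 a.m. burst; counting distinct callers per premium number over a month also flags the number that receives one short call from each of many subscribers, while leaving the line that a few subscribers call repeatedly alone.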

If they have all this money-making potential, why haven’t mobile-phone worms become an epidemic? Because the complex kind of viruses that can take over your phone can only run on sophisticated operating systems. Right now, only about 2 percent of all handsets are smartphones—too small a number to attract the attention of lots of virus authors. There are also so many brands of phones running so many different operating systems that it’s impossible to write a single virus that can infect them all—we’re protected by biodiversity.

The percentage of smartphones is growing rapidly, though, with Microsoft and Symbian each vying to create the single, standard cell-phone operating system. A monocultured world of smartphone handsets would be a virus-writer’s dream—a single, massively popular piece of software to poke and prod for weaknesses and insecurities. Even worse, as Symbian, Microsoft, and their competitors stuff more whiz-bang capabilities into phones, security will suffer. It’s the iron law of programming: The more ambitious the software, the more gaping holes. Once smartphones have complex enough operating systems, it won’t be hard to write a worm that burrows in, harvests all your info, and squirts it out to a mailbox in Pakistan. That’s precisely what virulent computer worms like Sobig and Bugbear do.

The mobile-phone industry could solve the viral problem by developing an open-source, Linux-style cellular operating system. But that’s about as likely as Motorola and Nokia announcing that all your cell phone calls are going to be free. For now at least, the burden falls on you. If your phone starts offering you “Free SEX!”, be strong enough to say no.

Thanks to Mikko H. Hyppönen of F-Secure, Vincent Weaver of Symantec, Tom Pekar of Verizon Wireless, Rich Blasi of Cingular Wireless, and Greg Mastoras of Sophos.